PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC al…

PyJWT, a JSON Web Token implementation in Python, contains a vulnerability prior to version 2.13.0 where the library fails to validate the use of JSON Web Keys in HMAC algorithms. This flaw allows attackers to use the issuer's public key as the secret key for HMAC algorithm verification, potentially leading to token forgery and authentication bypass. The vulnerability affects JWT verification when both asymmetric and HMAC algorithms are supported. The issue has been fixed in PyJWT version 2.13.0.